2015-12-14 9:43 GMT+01:00 Nikos Mavrogiannopoulos <[email protected]>:

> On Sun, Dec 13, 2015 at 9:34 PM, Tobias --- <[email protected]> wrote:
> > Hello!
> >
> > I'm trying to create a certificate that contains the necessary options to
> > let libvirtd service work as intended with remote control over TLS.
> >
> > I have created my own CA using certtool and the problem that I'm having is
> > with the server certificate.
> > The template that I'm using when I create the CSR is as follows:
> > organization = "Local libvirtd"
> > unit = "libvirtd server"
> > cn = "oink"
> > country = "SE"
> > state = "Sweden"
> > expiration_days = 1095
> > tls_www_server
> > signing_key
> > encryption_key
> > I've also tried to make certtool honour the extensions which it does to a
> > certain degree. The "encryption_key" is not honored even if I try to enforce
> > it using the "honour_crq_extensions" option as well as using the above
> > template when I sign the CSR with the CA. The resulting PEM-encoded
> > certificate generates the following error during startup of libvirtd:
>
> Hi,
> Could you send the command set that reproduces that? Note however,
> that if you have access to the CA key you don't need to go through a
> CSR to generate a certificate. You can generate it directly from the
> template.
>
> regards,
> Nikos
>
Hi!

The reason that I'm creating a CSR and then a CRT is because I'm going to create multiple certificates. I need to create certificates for my client too, so I want to do it the same way for both server and client. I am aware that I can create the certificate in one go.

The commands that I use are as follows:

certtool --generate-request --load-privkey serverkey.pem --template server.info --outfile servercsr.pem --hash=sha512
# The template "server.info" is what I pasted in the first post.

certtool --generate-certificate --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template server.info --load-request servercsr.pem --outfile servercert.pem --hash=sha512
# If I give it the template here then I don't get a bunch of questions. If I don't then I get what I specified for the CSR but if I answer YES to the question about TLS web server then I get that extension listed twice in the certificate.

If I omit the template and answer the questions then I don't get any question regarding key encipherment and I still get the same result. I get the same result regardless of what I do.

Best regards,
Tobias
